mozilla

Geo IP DecoderΒΆ

New in version 0.6.

Plugin Name: GeoIpDecoder

Decoder plugin that generates GeoIP data based on the IP address of a specified field. It uses the GeoIP Go project as a wrapper around MaxMind’s geoip-api-c library, and thus assumes you have the library downloaded and installed. Currently, only the GeoLiteCity database is supported, which you must also download and install yourself into a location to be referenced by the db_file config option. By default the database file is opened using “GEOIP_MEMORY_CACHE” mode. This setting is hard- coded into the wrapper’s geoip.go file. You will need to manually override that code if you want to specify one of the other modes listed here.

Note

Due to external dependencies, this plugin is not compiled in to the released Heka binaries. It will automatically be included in a source build if GeoIP.h is available in the include path during build time. The generated binary will then only work on machines with the appropriate GeoIP shared library (e.g. libGeoIP.so.1) installed.

Note

If you are using this with the ES output you will likely need to specify the raw_bytes_fields option for the target_field specified. This is required to preserve the formatting of the JSON object.

Config:

  • db_file:

    The location of the GeoLiteCity.dat database. Defaults to “/var/cache/hekad/GeoLiteCity.dat”

  • source_ip_field:

    The name of the field containing the IP address you want to derive the location for.

  • target_field:

    The name of the new field created by the decoder. The decoder will output a JSON object with the following elements:

    • latitude: string,

    • longitude: string,

    • location: [ float64, float64 ],
    • coordinates: [ string, string ],

    • countrycode: string,

    • countrycode3: string,

    • region: string,

    • city: string,

    • postalcode: string,

    • areacode: int,

    • charset: int,

    • continentalcode: string

[apache_geoip_decoder]
type = "GeoIpDecoder"
db_file="/etc/geoip/GeoLiteCity.dat"
source_ip_field="remote_host"
target_field="geoip"